[VIM] ProFTPD mess from 1999

Brian Martin bmartin at tenablesecurity.com
Wed Feb 4 06:32:27 UTC 2009


Back in the day, there was a mess of ProFTPd vulnerabilities posted. It 
appears that they ended up as one CVE entry even though there were at least 
three distinct issues posted. It gets worse if you look at the vendor 
changelog for that time period, suggesting there may have been many more 
vulnerabilities fixed.

I ran across this mess a few nights ago at the end of my work day (4AM) and 
gave George a heads-up. He looked at the three issues (Nessus has had plugins 
for each for some time) and added mail list references to each to help me 
distinguish them, saving me a lot of time and a royal headache. After that I 
did some more research because neither of us was sure if one issue was fixed 
by a specific release.

All in all, this should clear up a lot of confusion over these old issues, and 
possibly point out there are additional vulnerabilities that should be documented.

proftpd_mkdir_overflow.nasl (Plugin 10189), OSVDB 144:
exploit for 1.2.0pre1 - 1.2.0pre3 posted by acidrain at HACKBOX.COM:
http://archives.neohapsis.com/archives/bugtraq/1999-q3/0632.html
temporary workaround:
http://archives.neohapsis.com/archives/bugtraq/1999-q3/0649.html
patch, says issue is due to src/log.c log_xfer() function:
http://archives.neohapsis.com/archives/bugtraq/1999-q3/0651.html
second exploit for same issue:
http://archives.neohapsis.com/archives/bugtraq/1999-q3/0653.html
fix, up to 1.2.0pre4 ?:
http://archives.neohapsis.com/archives/bugtraq/1999-q3/0676.html

At this point, it isn't fully clear if 1.2.0pre4 fixed the issue. While the 
timing of the vendor's mail (Aug 30) referring to the 'exploit this weekend' 
(Aug 27) seems straightforward, the vendor's changelog has what appears to be 
a fix some 10 days before that. The same changelog does not have consistent 
reference to release versions either.

1999-09-07 16:09  macgyver
         * modules/: mod_auth.c, mod_log.c, mod_ls.c, mod_site.c, mod_tar.c,
         mod_test.c, mod_unixpw.c, mod_xfer.c: Removed unsafe buffer copies
         that may have been potential problems.  Implemented the 'real'
         patch for the MKD/log security issues.

proftpd_overflow.nasl (Plugin 10190), OSVDB 51719:
mkdir attack against 1.2.0pre4, discovered by Renaud:
http://archives.neohapsis.com/archives/bugtraq/1999-q3/0816.html

proftpd_pre6_exploit.nasl (Plugin 10191), OSVDB 51720:
vague warning 1.2.0pre6 is vuln by tymm at COE.MISSOURI.EDU:
http://archives.neohapsis.com/archives/bugtraq/1999-q3/0974.html
patch for vuln:
http://archives.neohapsis.com/archives/bugtraq/1999-q3/0995.html
exploit, NLST overflow POC, 1.2.0pre7 should fix:
http://archives.neohapsis.com/archives/bugtraq/1999-q3/1009.html

Now, the real mess. The following is from the Changelog distributed with 
1.2.5, the oldest version I saw available on ftp.proftpd.org.

These are the only three entries related to versions:

1999-10-04 16:35  macgyver
         * include/version.h: Updated to pre8.

1999-09-16 20:55  macgyver
         * include/version.h: Bumped version number.

1999-03-09 17:19  flood
         * changelog, include/version.h: Version 1.2.0pre3

There is a huge gap between pre3 and pre8 time-wise, with only one indication 
of "bumped version number", not much help. Then it goes downhill... look at all 
of the security-related fixes (and a few that may be, but not clear):

[..]

1999-09-29 23:10  macgyver
         * modules/mod_auth.c: Fix a potential security hole.

1999-09-17 00:31  macgyver
         * contrib/mod_mysql.c, contrib/mod_ratio.c, include/support.h,
         modules/mod_auth.c, modules/mod_core.c, modules/mod_log.c,
         modules/mod_ls.c, modules/mod_pam.c, modules/mod_tar.c,
         modules/mod_test.c, modules/mod_xfer.c, src/auth.c, src/dirtree.c,
         src/fs.c, src/ftpcount.c, src/log.c, src/main.c, src/pool.c,
         src/support.c, src/utils.c: Implemented sstrncpy to handle proper
         buffer copying issues on all platforms.

1999-09-16 21:06  macgyver
         * src/log.c: More intelligent handling of logfiles to avoid a
         potential race condition.

1999-09-16 00:42  macgyver
         * src/main.c: Fixed a silly, yet insidious, way to overflow a
         buffer.

1999-09-10 00:46  macgyver
         * src/support.c: Fixed remaining buffer issues in sreplace.

1999-09-07 16:13  macgyver
         * contrib/mod_ratio.c: Fixed some potential buffer issues.

1999-09-07 16:13  macgyver
         * contrib/mod_pam.c: Some minor security updates to fix potential
         buffer problems.

1999-09-07 16:09  macgyver
         * modules/: mod_auth.c, mod_log.c, mod_ls.c, mod_site.c, mod_tar.c,
         mod_test.c, mod_unixpw.c, mod_xfer.c: Removed unsafe buffer copies
         that may have been potential problems.  Implemented the 'real'
         patch for the MKD/log security issues.

1999-09-07 16:08  macgyver
         * modules/mod_core.c: Added in Bandwidth patch for bandwidth
         control.  Security cleanups -- removed lots of unsafe buffer
         copies.

1999-01-27 14:06  flood
         * changelog, include/support.h, modules/mod_ls.c, src/fs.c,
         src/support.c: More possibly MKD/CWD 'sploits fixed, and mod_ls
         workin well.

[..]

If you count the ones that are clearly security related, there are more than 3 
issues fixed. The 1999-09-17 fix includes src/log.c in the sstrncpy fixes, so 
that is ten days before the first exploit was published. We don't know if 
he fixed it in advance in the dev tree, and someone found it shortly after, or 
if this was a second distinct issue fixed before the one posted. Mention 
of a race condition in log.c, overflow in main.c and "buffer issues" all over 
the place. mod_pam.c "buffer problems" are definitely security related. 
1999-09-07 and 1999-01-27 mention the MKD security issues; the 1999-01-27 
entry may correspond to the Bindview 'palmetto' vulnerability (information 
forthcoming shortly that may clear that up). The 1999-09-07 mention of MKD 
says it is the 'real' patch for the "MKD/log security issues", which closely 
matches the disclosure 10 days later.

When I get time (after ShmooCon probably), I will try to sort out the 
changelog better and create entries on OSVDB as needed.

Brian
Tenable Network Security
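One way to start the changelog sorting the post ends on, as an added example (not code from the post or from ProFTPD): a Python parser for the CVS-style ChangeLog entries quoted above that flags security-related entries by keyword and buckets them under the version bump that followed them. SAMPLE is a constructed subset of the quoted entries and SECURITY_WORDS is my own keyword list.

```python
import re
from collections import namedtuple

HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(\S+)$")
BODY_RE = re.compile(r"^\*\s*(?:(\S+/): )?(.*?): (.*)$")  # "* dir/: a.c, b.c: msg"
SECURITY_WORDS = ("security", "overflow", "buffer", "race condition", "sploit", "sstrncpy")
Entry = namedtuple("Entry", "date author files message")

# Constructed sample: a subset of the 1.2.5 ChangeLog entries quoted in the post.
SAMPLE = """\
1999-10-04 16:35  macgyver
         * include/version.h: Updated to pre8.

1999-09-29 23:10  macgyver
         * modules/mod_auth.c: Fix a potential security hole.

1999-09-16 20:55  macgyver
         * include/version.h: Bumped version number.

1999-09-07 16:09  macgyver
         * modules/: mod_auth.c, mod_log.c, mod_xfer.c: Removed unsafe buffer
         copies that may have been potential problems.
"""

def is_security(e: Entry) -> bool:
    return any(w in e.message.lower() for w in SECURITY_WORDS)

def parse_changelog(text: str) -> list:
    """Entries are blank-line separated: a header line, then '* files: message'."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, _, body = block.partition("\n")
        h = HEADER_RE.match(head.strip())
        b = BODY_RE.match(" ".join(l.strip() for l in body.splitlines()))
        if h and b:  # anything else ("[..]" markers etc.) is skipped
            prefix, files, msg = b.group(1) or "", b.group(2), b.group(3)
            entries.append(Entry(h.group(1), h.group(3),
                                 [prefix + f.strip() for f in files.split(",")], msg))
    return entries

def security_fixes_by_version(entries: list) -> dict:
    """Newest-first log: a version bump labels the older fixes listed after it."""
    buckets, current = {}, "after latest bump"
    for e in entries:
        if "include/version.h" in e.files:  # version bump entry
            current = f"{e.date}: {e.message}"
            buckets.setdefault(current, [])
        elif is_security(e):
            buckets.setdefault(current, []).append(e)
    return buckets
```

Run against the full ChangeLog this gives a per-version list of candidate fixes to compare with the three Bugtraq threads above.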
